diff --git a/src/net/tls.c b/src/net/tls.c
index efecf368c..1d5a6c6d8 100644
--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -2082,7 +2082,7 @@ static int tls_new_hello_request ( struct tls_connection *tls,
 	}
 
 	/* Fail unless server supports secure renegotiation */
-	if ( ! tls->secure_renegotiation ) {
+	if ( ! ( tls->secure_renegotiation && tls->extended_master_secret ) ) {
 		DBGC ( tls, "TLS %p refusing to renegotiate insecurely\n",
 		       tls );
 		return -EPERM_RENEG_INSECURE;